DigiD Module
DigiD Overview
The DigiD login module provides the means to integrate DigiD authentication within your site. Certain parts of your site can be secured in such a way that visitors need to login using their DigiD credentials. The actual authentication process is handled by the DigiD site, however Smartsite initiates this process, re-directs the visitor to the DigiD site, and when the visitor has supplied its credentials and is re-directed back to your site, Smartsite executes a verification step and gives the visitor access to the site.
The DigiD login module, together with the Smartsite DigiD membership provider, needs to be configured to seamlessly integrate with DigiD authentication. This article describes the necessary (basic) steps.
DigiD membership provider
First of all, the DigiD membership provider needs to be configured as default membership provider within the web.config of your site.
XML | Copy Code |
---|---|
<membership defaultProvider="DigiDMembershipProvider" userIsOnlineTimeWindow="15"> <providers> <clear/> <add applicationName="Smartsite" name="SqlMembershipProvider" type="Smartsite.Security.Authentication.SqlMembershipProvider, Smartsite.Security" enablePasswordRetrieval="false" enablePasswordReset="false" passwordFormat="Clear" requiresQuestionAndAnswer="false" writeExceptionsToEventLog="true"/> <add applicationName="SmartsiteDigiD" internalprovider="SqlMembershipProvider" name="DigiDMembershipProvider" type="Smartsite.DigiD.DigiDMembershipProvider, Smartsite.DigiD" enablePasswordRetrieval="false" enablePasswordReset="true" passwordFormat="Clear" requiresQuestionAndAnswer="false" writeExceptionsToEventLog="true"/> </providers> </membership> |
Notice the internalprovider attribute for the DigiD membership provider. Since DigiD authentication will probably not be required for the entire site, this attribute can be used to configure an alternative membership provider, which will be used internally by the DigiD membership provider when no valid DigiD session is active.
DigiD Login Module
The DigiD membership provider will fall back on the configured internalprovider, unless a valid DigiD session is active. To establish a DigiD session, the DigiD login module should be called whenever DigiD authentication is required. The recommended way to achieve this, is first to create an DigiD login page (an item e.g. of contenttype Strict Web Page) which encapsulates the DigiD login process (the required introduction text, the actual login which includes a re-direct to the DigiD server and handling the result when DigiD re-directs back to the login page).
Smartsite SXML | Copy Code |
---|---|
{session.enable()} <se:if expression="request.query(login)==1"> <se:then> <se:digidlogin save="loginresult" profilename="simulator" impersonate="true" /> <se:switch> <se:case expression="$loginresult=='0040'"> <p>Inlog geannuleerd.</p> </se:case> <se:case> Fout [{buffer.get(loginresult)}] </se:case> </se:switch> </se:then> <se:else> <table width="100%"> <tr> <td valign="top"> De pagina die u probeert op te vragen vereist inloggen bij DigiD.<br /> Het kan zijn dat u dit nog niet gedaan heeft, of dat uw sessie is verlopen. <br /><br /> <a href="{url.setparameters(DIGID_LOGIN,'sourceurl='+request.query(sourceurl),'login=1')}">Klik hier om in te loggen bij DigiD</a> <br /> <a href="http://www.digid.nl/burger/">Klik hier voor meer informatie over DigiD</a> </td> <td width="180" valign="top"><a href="http://www.digid.nl" target="_blank"> <img src="/images/digid/DigiD_logo.gif" border="0" /></a></td> </tr> </table> </se:else> </se:if> |
Second step is to create a translation which checks if DigiD authentication is required for a specific item, and when that's the case checks whether a valid DigiD session (with sufficient access rights) is present.
Smartsite SXML | Copy Code |
---|---|
{sys.iif(security.contentaccess.getaccesslevel('digidaccess') GT digid.currentlevel(false), digid.redirecttologin(DIGID_LOGIN) )} |
Within this example, standard content access is used to configure DigiD access levels on specific items, the digid.currentlevel() viper is used to retrieve the users current access level (which defaults to 0 when there's no valid DigiD session), and the digid.redirecttologin() viper to redirect the user to the DigiD login page.
This translation should then be included within (e.g.) the appropriate render templates.
Enable Sessions
One of the requirements for DigiD authentication is that sessions must be enabled. This can be achieved by including the viper session.enable() within each item that requires DigiD authentication. As an alternative, you could create and configure a separate channel for DigiD related items and include the session.enable() viper within the appropriate render template(s).
This, in short, are the required configuration steps. For more details on the DigiD membership provider, the DigiD login module and the available DigiD vipers, see the articles listed below.